Exports security settings stored in a database configured with security templates.


Secedit /export /db <database file name> [/mergedpolicy] /cfg <configuration file name> [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]


Parameter Description
db Required.
Specifies the path and file name of a database that contains the stored configuration against which the analysis will be performed.
If file name specifies a database that has not had a security template (as represented by the configuration file) associated with it, the /cfg \<configuration file name> command-line option must also be specified.
mergedpolicy Optional.
Merges and exports domain and local policy security settings.
cfg Required.
Specifies the path and file name for the security template that will be imported into the database for analysis.
This /cfg option is only valid when used with the /db \<database file name> parameter. If this is not specified, the analysis is performed against any configuration already stored in the database.
areas Optional.
Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:
- SecurityPolicy
Local policy and domain policy for the system, including account policies, audit policies, security options, and so on.
- Group_Mgmt
Restricted group settings for any groups specified in the security template.
- User_Rights
User logon rights and granting of privileges.
- RegKeys
Security on local registry keys.
- FileStore
Security on local file storage.
- Services
Security for all defined services.
log Optional.
Specifies the path and file name of the log file for the process.
quiet Optional.
Suppresses screen and log output. You can still view analysis results by using the Security Configuration and Analysis snap-in to the Microsoft Management Console (MMC).


You can use this command to backup your security policies on a local computer in addition to importing the settings to another computer.

If the path for the log file is not provided, the default log file, (systemroot\Documents and Settings*UserAccount\My Documents\Security\Logs*DatabaseName.log) is used.

In Windows Server 2008, Secedit /refreshpolicy has been replaced with gpupdate. For information on how to refresh security settings, see Gpupdate.


Export the security database and the domain security policies to an inf file and then import that file to a different database in order to replicate the security policy settings on another computer.

Secedit /export /db C:\Security\FY11\SecDbContoso.sdb /mergedpolicy /cfg SecContoso.inf /log C:\Security\FY11\SecAnalysisContosoFY11.log /quiet

Import that file to a different database on another computer.

Secedit /import /db C:\Security\FY12\SecDbContoso.sdb /cfg SecContoso.inf /log C:\Security\FY11\SecAnalysisContosoFY12.log /quiet

Additional References